CMAC M ODE FOR A UTHENTICATION 3 T hi s pub lic at io n i s av ai lab le f ree of c har g e f rom : h ttp s : doi .or g 10. 6 02 8 N IST .SP. 8 -38 B Least Significant Bits The right-most bits of a bit string. Message Authentication Code MAC A bit string of fixed length, computed by a MAC generation algorithm, that is used to establish the authenticity and, hence, the integrity of a message. MAC Generation Generation An algorithm that computes a MAC from a message and a key. MAC Verification Verification An algorithm that verifies if a purported MAC is valid for a given message and key. Mode of Operation Mode An algorithm for the cryptographic transformation of data that features a symmetric key block cipher. Most Significant Bits The left-most bits of a bit string. NIST National Institute of Standards and Technology. Permutation An invertible function. Subkey A secret string that is derived from the key. Subkey Generation An algorithm that derives subkeys from a key. TDEA Triple Data Encryption Algorithm.

4.2 Symbols

4.2.1 Variables b The bit length of a block. R b The constant string for subkey generation for a cipher with block size b. K The block cipher key. K1 The first subkey. K2 The second subkey. Key1 The first component of a TDEA key. Key2 The second component of a TDEA key. CMAC M ODE FOR A UTHENTICATION 4 T hi s pub lic at io n i s av ai lab le f ree of c har g e f rom : h ttp s : doi .or g 10. 6 02 8 N IST .SP. 8 -38 B Key3 The third component of a TDEA key. M The message. M i The ith block of the formatted message. M n The final block, possibly a partial block, of the formatted message. Mlen The bit length of the message. n The number of blocks in the formatted message. T The MAC. Tlen The bit length of the MAC. 4.2.2 Operations and Functions   x The least integer that is not less than the real number x. X || Y The concatenation of two bit strings X and Y. X ⊕Y The bitwise exclusive-OR of two bit strings X and Y of the same length. CIPH K X The output of the forward cipher function of the block cipher under the key K applied to the block X. LSB s X The bit string consisting of the s right-most bits of the bit string X. MSB s X The bit string consisting of the s left-most bits of the bit string X. X 1 The bit string that results from discarding the leftmost bit of the bit string X and appending a ‘0’ bit on the right. lgx The base 2 logarithm of the positive real number x. s The bit string that consists of s ‘0’ bits. 5 Preliminaries The elements of CMAC and the associated notation are introduced in the five sections below. Examples of operations and functions are given in Sec. 5.1. The underlying block cipher and key are discussed in Sec. 5.2. The two subkeys that are derived from the key are discussed in Sec. 5.3. MAC generation and verification are discussed in Sec. 5.4. The input and output data for MAC generation are discussed in Sec. 5.5. CMAC M ODE FOR A UTHENTICATION 5 T hi s pub lic at io n i s av ai lab le f ree of c har g e f rom : h ttp s : doi .or g 10. 6 02 8 N IST .SP. 8 -38 B

5.1 Examples of Operations and Functions

Given a positive integer s, 0 s denotes the string that consists of s ‘0’ bits. For example, 0 8 = 00000000. Given a real number x, the ceiling function, denoted x, is the least integer that is not less than x. For example, 2.1 = 3, and 4 = 4. The concatenation operation on bit strings is denoted ||; for example, 001 || 10111 = 00110111. Given bit strings of equal length, the exclusive-OR operation, denoted ⊕, specifies the addition, modulo 2, of the bits in each bit position, i.e., without carries. For example, 10011 ⊕ 10101 = 00110. Given a bit string X, the functions LSB s X and MSB s X return the s least significant i.e., right- most bits and the s most significant i.e., left-most bits, respectively, of X. For example, LSB 3 111011010 = 010, and MSB 4 111011010 = 1110. Given a bit string X that consists of Xlen bits, the single left-shift function, denoted X 1, is LSB Xlen X || 0. For example, 1101110 1 = 1011100. Given a positive real number x, its base 2 logarithm is denoted lgx. For example, lg2 10 = 10.

5.2 Block Cipher